
Worm:Win32/Phorpiex.B


First posted on 15 February 2019.
Source: Microsoft

Aliases:

There are no other names known for Worm:Win32/Phorpiex.B.

Explanation:

Installation

Worm:Win32/Phorpiex.B creates a copy of itself at the following file location, then runs this copy:

%USERPROFILE%\M-1-74-6482-7942-8945\winsvc.exe

The worm then makes the following changes to the registry to ensure it runs each time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft® Windows Update"
With data: "%USERPROFILE%\M-1-74-6482-7942-8945\winsvc.exe"

Spreads via…

Removable drives

The worm enumerates drives on the infected PC, looking for removable drives (that are not A: and B:).

If found, the worm makes a copy of itself, such as the following, with 'hidden' and 'system' file attributes:

<drive>:\windrvs32.exe

The worm then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.

If the worm finds any folders on the removable drive, it sets the 'hidden' attribute for these folders and creates a shortcut file with the name of the folder. This shortcut file points to a copy of the malware which is stored in a hidden folder within the drive named "94728631". For example, if the worm finds '<drive>:\MyFolder', it creates '<drive>:\MyFolder.lnk' which points to a copy of the worm, as in '<drive>:\94728631\MyFolder.exe'.
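The removable-drive layout described above (a worm copy in the drive root, an autorun.inf pointing at it, a hidden "94728631" staging folder, and a decoy .lnk beside each hidden folder) can be checked for offline by a responder who mounts the drive read-only. The scanner below is an added example written for this page; it is not Microsoft's tooling. It builds a constructed sample of the layout in a temporary directory (empty placeholder files, no malware) and flags only the structural pattern the description gives; the Windows 'hidden' attribute is consulted when the platform exposes it and otherwise ignored.

```python
import os
import re
import shutil
import stat
import tempfile

# Artefact names taken from the description.
DROPPER_NAME = "windrvs32.exe"
HIDDEN_DIR_NAME = "94728631"
AUTORUN_NAME = "autorun.inf"


def _is_hidden(path):
    """True/False when the Windows 'hidden' attribute can be read, None elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_removable_root(root):
    """Return a list of (kind, name) findings for one drive root."""
    findings = []
    entries = os.listdir(root)
    lower = {e.lower(): e for e in entries}  # case-insensitive lookup like NTFS/FAT

    # 1. The worm copy itself sits in the drive root.
    if DROPPER_NAME in lower:
        findings.append(("dropper", lower[DROPPER_NAME]))

    # 2. autorun.inf whose open= / shellexecute= line launches that copy.
    if AUTORUN_NAME in lower:
        with open(os.path.join(root, lower[AUTORUN_NAME]), errors="replace") as fh:
            ini = fh.read()
        if re.search(r"^\s*(open|shellexecute)\s*=.*" + re.escape(DROPPER_NAME),
                     ini, re.IGNORECASE | re.MULTILINE):
            findings.append(("autorun", lower[AUTORUN_NAME]))

    # 3. The staging folder holding <FolderName>.exe copies.
    staging = os.path.join(root, HIDDEN_DIR_NAME)
    staged = set()
    if os.path.isdir(staging) and _is_hidden(staging) is not False:
        findings.append(("staging_dir", HIDDEN_DIR_NAME))
        staged = {f[:-4].lower() for f in os.listdir(staging) if f.lower().endswith(".exe")}

    # 4. A folder with a sibling <Folder>.lnk whose name matches a staged .exe.
    for e in entries:
        if os.path.isdir(os.path.join(root, e)) and e != HIDDEN_DIR_NAME:
            lnk = lower.get(e.lower() + ".lnk")
            if lnk and e.lower() in staged:
                findings.append(("decoy_shortcut", lnk))
    return findings


def build_sample_drive(root):
    """Constructed layout mirroring the description; every file is an empty placeholder."""
    for name in ("MyFolder", "Photos", "Docs", HIDDEN_DIR_NAME):
        os.makedirs(os.path.join(root, name))
    for name in ("MyFolder", "Photos"):  # "Docs" gets no decoy and must not be flagged
        open(os.path.join(root, name + ".lnk"), "wb").close()
        open(os.path.join(root, HIDDEN_DIR_NAME, name + ".exe"), "wb").close()
    open(os.path.join(root, DROPPER_NAME), "wb").close()
    with open(os.path.join(root, AUTORUN_NAME), "w") as fh:
        fh.write("[autorun]\r\nopen=windrvs32.exe\r\n")


def demo():
    """Build the sample in a temp dir, scan it, clean up, return the findings."""
    root = tempfile.mkdtemp(prefix="phorpiex-demo-")
    try:
        build_sample_drive(root)
        return scan_removable_root(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, name in demo():
        print(kind, name)
```

Against a real drive, call scan_removable_root() with the mount point instead of demo(); any "decoy_shortcut" hit identifies a folder whose contents are intact but hidden, which is what the user needs to have unhidden after the copies are removed.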

Windows Live Messenger

Worm:Win32/Phorpiex.B checks to see if Windows Live Messenger is installed on the infected PC, and if found, it sends a message to all of the infected user's contacts with a message and a link to a copy of itself.

The message can be one of several different phrases, and is dependent on the locale and system language of the infected computer. Some examples of the message can be seen below:

English:
tell me what you think of this picture i edited
this is the funniest photo ever!
tell me what you think of this photo
i don't think i will ever sleep again after seeing this photo
i cant believe i still have this picture
should i make this my default picture?

French:
je ne pense pas que je vais pouvoir dormir après avoir vu ces photos.
je n'arrive pas a croire que j'ai encore cette photo de toi depuis l'hiver dernier.
devrais-je mettre cette photo de profile?
c'est la photo la plus marrante!
dis moi ce que tu pense de cette photo de moi?
mes parents vont me tués si ils trouvent cette photo

Spanish:
creo que no voy a poder dormir más despues de ver esta foto.
mirá no puedo creer que todavía tengo esta foto tuya del invierno pasado, te acordas?
quedaría bien si pongo esta foto en mi perfil? o me veo medio mal?
esta foto es gracios
mis padres me van a matar si ven esta foto mia, que decis?

German:
wie findest du das foto?
hab ich dir das foto schon gezeigt?
das foto solltest du wirklich sehen
schau mal das foto an
unglaublich welche fotos leute von sich machen
schau mal so will ich nicht aussehen wenn ich alt bin
schau mal welches foto ich gefunden hab
bist du das auf dem foto?
kennst du das foto schon?

Dutch:
ken je dat foto nog?
kijk wat voor een foto ik heb gevonden
zo iets leilijk heb ik nog nooit in mijn leven gezien
ik hoop dat jij het net bent op dit foto
ben jij dat op dit foto?
dit foto zal je echt eens bekijken!
ken je dit foto al?

Romanian:
nu imi mai voi face niciodat poze!! toate ies urate ca asta.
spune-mi ce crezi despre poza asta.
asta e ce-a mai funny poza! tu ce zici?
zimi ce crezi despre poza asta?
nu cred ca voi mai putea dormi dupa ce am vazut poza asta. tu ce zici?

Italian:
ti piace la foto?
hai visto questa foto?
la foto e grandiosa!
ti ricordi la Foto?
dopo che hai visto la foto, tu non dormirai piu
conosci la persona in questa foto?
chi e in questa foto?

Payload

Modifies system security settings

The worm may modify your PC's security settings by making changes to the registry: it adds itself to the list of trusted processes that are authorized to access the network, so the Windows Firewall does not block its traffic. It may do this by adding an entry to the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
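Both registry footprints on this page, the Run value under HKCU described in the Installation section and the firewall AuthorizedApplications\List entry just above, can be checked from a `reg export` of those keys without touching the live machine. The script below is an added example written for this page, not Microsoft's code; it parses the .reg text format for string values and flags entries that carry the value name, folder name or file name the description gives. The sample export is constructed: the user name, the OneDrive and Messenger entries, and the `path:*:Enabled:Name` data layout of the firewall list (the format used by the Windows XP/2003 firewall) are assumptions for the demo.

```python
import re

# Key paths in the form reg.exe writes them.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
FIREWALL_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                     r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Indicators taken from the description.
WORM_VALUE_NAME = "Microsoft® Windows Update"
WORM_PATH_RE = re.compile(r"\\M-1-74-6482-7942-8945\\winsvc\.exe$", re.IGNORECASE)

# Constructed sample of `reg export` output for the two keys (illustrative only).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Microsoft® Windows Update"="C:\\Users\\alice\\M-1-74-6482-7942-8945\\winsvc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Users\\alice\\M-1-74-6482-7942-8945\\winsvc.exe"="C:\\Users\\alice\\M-1-74-6482-7942-8945\\winsvc.exe:*:Enabled:Microsoft® Windows Update"
'''

# "name"=data ; the name may contain escaped quotes and backslashes.
VALUE_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string (REG_SZ) values only."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE_RE.match(line)
        if current is None or not m:
            continue
        name, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            keys[current][_unescape(name)] = _unescape(raw[1:-1])
        # dword:/hex: values are not needed for this check and are skipped
    return keys


def find_phorpiex_persistence(reg_text):
    """Return [(key, value_name, reason)] for entries matching the description."""
    findings = []
    keys = parse_reg_export(reg_text)
    for name, data in keys.get(RUN_KEY, {}).items():
        if name == WORM_VALUE_NAME:
            findings.append((RUN_KEY, name, "Run value name used by Phorpiex.B"))
        elif WORM_PATH_RE.search(data):
            findings.append((RUN_KEY, name, "Run value launches the Phorpiex.B drop path"))
    # In AuthorizedApplications\List the value name is the authorised program path.
    for name, data in keys.get(FIREWALL_LIST_KEY, {}).items():
        if WORM_PATH_RE.search(name) or WORM_PATH_RE.search(data.split(":*:")[0]):
            findings.append((FIREWALL_LIST_KEY, name, "firewall exception for the Phorpiex.B drop path"))
    return findings


if __name__ == "__main__":
    for key, name, reason in find_phorpiex_persistence(SAMPLE_REG_EXPORT):
        print(f"{reason}\n  {key}\n  {name}")
```

To use it on a real export, read the file with `encoding="utf-16"` (reg.exe writes UTF-16 with a BOM) and pass the text in place of SAMPLE_REG_EXPORT; a hit on either key is a reason to also look for the winsvc.exe file and the Messenger spreading described on this page.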

Allows backdoor access and control

Worm:Win32/Phorpiex.B attempts to connect to the IRC server "srv6207.com", join a channel and wait for commands.

Using this backdoor, an attacker can perform a number of actions on an affected computer, including the following:

Remove itself
Download and execute arbitrary files
Spread via Windows Live Messenger
Perform a Denial of Service attack (SYN flood) on a specific target
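The IRC backdoor gives a defender two network-side indicators from this page: the C2 host name "srv6207.com" and the drop path of the process that talks to it. The triage script below is an added example written for this page, not Microsoft's code. It reads Sysmon-style events exported as JSON lines (event ID 3 for network connections, event ID 22 for DNS queries) and groups the hits per computer, so the same pass scopes the infection across a fleet. The events, computer names, non-worm paths and the destination port are constructed for the demo; the description does not state which port the IRC server listens on, so the port is not used as an indicator.

```python
import json
import re

C2_HOST = "srv6207.com"  # IRC server named in the description
# Drop path from the description; the profile directory in front of it varies per user.
WORM_IMAGE_RE = re.compile(r"\\M-1-74-6482-7942-8945\\winsvc\.exe$", re.IGNORECASE)

# Constructed Sysmon-style events, one JSON object per line as a SIEM export might
# deliver them. Only the drop path and the C2 host name come from the description.
SAMPLE_EVENTS = r'''
{"EventID": 3, "Computer": "WS01", "Image": "C:\\Users\\alice\\M-1-74-6482-7942-8945\\winsvc.exe", "DestinationHostname": "srv6207.com", "DestinationPort": 6667}
{"EventID": 3, "Computer": "WS01", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "example.org", "DestinationPort": 443}
{"EventID": 3, "Computer": "WS02", "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationHostname": "srv6207.com", "DestinationPort": 6667}
{"EventID": 22, "Computer": "WS03", "Image": "C:\\Users\\bob\\M-1-74-6482-7942-8945\\winsvc.exe", "QueryName": "srv6207.com"}
{"EventID": 22, "Computer": "WS04", "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "example.org"}
'''


def triage_network_events(jsonl):
    """Map each computer name to the sorted list of reasons it looks Phorpiex-related."""
    hits = {}
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        reasons = set()
        # Any network or DNS activity from the drop path is suspicious on its own.
        if WORM_IMAGE_RE.search(ev.get("Image", "")):
            reasons.add("network activity from the Phorpiex.B drop path")
        # A connection to the C2 host is flagged regardless of the image, since a
        # different process name would still mean the host reached the IRC server.
        if ev.get("EventID") == 3 and ev.get("DestinationHostname", "").lower() == C2_HOST:
            reasons.add("connection to IRC C2 host " + C2_HOST)
        if ev.get("EventID") == 22 and ev.get("QueryName", "").lower() == C2_HOST:
            reasons.add("DNS lookup of IRC C2 host " + C2_HOST)
        if reasons:
            hits.setdefault(ev.get("Computer", "?"), set()).update(reasons)
    return {host: sorted(r) for host, r in hits.items()}


if __name__ == "__main__":
    for host, reasons in sorted(triage_network_events(SAMPLE_EVENTS).items()):
        print(host)
        for r in reasons:
            print("  -", r)
```

A host that only shows the C2 connection (WS02 in the sample) still deserves the file and registry checks described earlier on this page before it is cleared, because the image field alone is not enough to rule the worm out.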

Analysis by Amir Fouda

Last update 15 February 2019
